Lucene search

PatchstackCVE-2024-37947

HistoryJul 20, 2024 - 9:15 a.m.

CVE-2024-37947

2024-07-2009:15:06

CWE-79

Patchstack

web.nvd.nist.gov

cve-2024-37947

web page generation

xss

cross-site scripting

themeum tutor lms

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

EPSS

Percentile

9.3%

JSON

Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.2.

Affected configurations

Vulners

Node

themeumtutor_lmsRange≤2.7.2wordpress

VendorProductVersionCPE
themeumtutor_lms*cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
themeum	tutor_lms	*	cpe:2.3:a:themeum:tutor_lms::::::wordpress::*

CNA Affected

[
  {
    "collectionURL": "https://wordpress.org/plugins",
    "defaultStatus": "unaffected",
    "packageName": "tutor",
    "product": "Tutor LMS",
    "vendor": "Themeum",
    "versions": [
      {
        "changes": [
          {
            "at": "2.7.3",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "2.7.2",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-2-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve